JS: Add @kind problem meta queries

2026-04-28 18:25:24 +02:00 · 2021-02-18 14:54:59 +00:00
parent fbca06f4e1
commit 3fb810b540
5 changed files with 121 additions and 17 deletions
--- a/javascript/ql/src/meta/alerts/CallGraph.ql
+++ b/javascript/ql/src/meta/alerts/CallGraph.ql
@@ -0,0 +1,15 @@
+/**
+ * @name Call graph
+ * @description An edge in the call graph.
+ * @kind problem
+ * @problem.severity recommendation
+ * @id js/meta/alerts/call-graph
+ * @tags meta
+ * @precision very-low
+ */
+
+import javascript
+
+from DataFlow::InvokeNode invoke, Function f
+where invoke.getACallee() = f
+select invoke, "Call to $@", f, f.describe()
--- a/javascript/ql/src/meta/alerts/TaintSinks.ql
+++ b/javascript/ql/src/meta/alerts/TaintSinks.ql
@@ -0,0 +1,15 @@
+/**
+ * @name Taint sinks
+ * @description Sinks that are sensitive to untrusted data.
+ * @kind problem
+ * @problem.severity recommendation
+ * @id js/meta/alerts/taint-sinks
+ * @tags meta
+ * @precision very-low
+ */
+
+import javascript
+import meta.internal.TaintMetrics
+
+from string kind
+select relevantTaintSink(kind), kind + " sink"
--- a/javascript/ql/src/meta/alerts/TaintSources.ql
+++ b/javascript/ql/src/meta/alerts/TaintSources.ql
@@ -0,0 +1,23 @@
+/**
+ * @name Taint sources
+ * @description Sources of untrusted input.
+ * @kind problem
+ * @problem.severity recommendation
+ * @id js/meta/alerts/taint-sources
+ * @tags meta
+ * @precision very-low
+ */
+
+import javascript
+import meta.internal.TaintMetrics
+
+string getName(DataFlow::Node node) {
+  result = node.(RemoteFlowSource).getSourceType()
+  or
+  not node instanceof RemoteFlowSource and
+  result = "Taint source"
+}
+
+from DataFlow::Node node
+where node = relevantTaintSource()
+select node, getName(node)
--- a/javascript/ql/src/meta/alerts/TaintedNodes.ql
+++ b/javascript/ql/src/meta/alerts/TaintedNodes.ql
@@ -0,0 +1,31 @@
+/**
+ * @name Tainted expressions
+ * @description The number of expressions reachable from a remote flow source
+ *              via default taint-tracking steps.
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags meta
+ * @id js/meta/alerts/tainted-nodes
+ * @precision very-low
+ */
+
+import javascript
+import meta.internal.TaintMetrics
+
+class BasicTaintConfiguration extends TaintTracking::Configuration {
+  BasicTaintConfiguration() { this = "BasicTaintConfiguration" }
+
+  override predicate isSource(DataFlow::Node node) { node = relevantTaintSource() }
+
+  override predicate isSink(DataFlow::Node node) {
+    // To reduce noise from synthetic nodes, only count value nodes
+    node instanceof DataFlow::ValueNode and
+    not node.getFile() instanceof IgnoredFile
+  }
+}
+
+// Avoid linking to the source as this would upset the statistics: nodes reachable
+// from multiple sources would be counted multilpe times, and that's not what we intend to measure.
+from DataFlow::Node node
+where any(BasicTaintConfiguration cfg).hasFlow(_, node)
+select node, "Tainted node"
--- a/javascript/ql/src/meta/internal/TaintMetrics.qll
+++ b/javascript/ql/src/meta/internal/TaintMetrics.qll
@@ -31,29 +31,49 @@ private import semmle.javascript.security.dataflow.ZipSlipCustomizations
 * Examples of excluded queries:
 * - UnsafeDynamicMethodAccess: high severity (RCE) but has way too many sinks (every callee).
 * - ClearTextLogging: not severe enough relative to number of sinks.
+ *
+ * `kind` is bound to the name of the module containing the query sinks.
 */
-DataFlow::Node relevantTaintSink() {
+DataFlow::Node relevantTaintSink(string kind) {
  not result.getFile() instanceof IgnoredFile and
  (
-    result instanceof ClientSideUrlRedirect::Sink or
-    result instanceof CodeInjection::Sink or
-    result instanceof CommandInjection::Sink or
-    result instanceof Xss::Shared::Sink or
-    result instanceof NosqlInjection::Sink or
-    result instanceof PrototypePollution::Sink or
-    result instanceof RegExpInjection::Sink or
-    result instanceof RequestForgery::Sink or
-    result instanceof ServerSideUrlRedirect::Sink or
-    result instanceof SqlInjection::Sink or
-    result instanceof TaintedPath::Sink or
-    result instanceof UnsafeDeserialization::Sink or
-    result instanceof XmlBomb::Sink or
-    result instanceof XpathInjection::Sink or
-    result instanceof Xxe::Sink or
-    result instanceof ZipSlip::Sink
+    kind = "ClientSideUrlRedirect" and result instanceof ClientSideUrlRedirect::Sink
+    or
+    kind = "CodeInjection" and result instanceof CodeInjection::Sink
+    or
+    kind = "CommandInjection" and result instanceof CommandInjection::Sink
+    or
+    kind = "Xss" and result instanceof Xss::Shared::Sink
+    or
+    kind = "NosqlInjection" and result instanceof NosqlInjection::Sink
+    or
+    kind = "PrototypePollution" and result instanceof PrototypePollution::Sink
+    or
+    kind = "RegExpInjection" and result instanceof RegExpInjection::Sink
+    or
+    kind = "RequestForgery" and result instanceof RequestForgery::Sink
+    or
+    kind = "ServerSideUrlRedirect" and result instanceof ServerSideUrlRedirect::Sink
+    or
+    kind = "SqlInjection" and result instanceof SqlInjection::Sink
+    or
+    kind = "TaintedPath" and result instanceof TaintedPath::Sink
+    or
+    kind = "UnsafeDeserialization" and result instanceof UnsafeDeserialization::Sink
+    or
+    kind = "XmlBomb" and result instanceof XmlBomb::Sink
+    or
+    kind = "XpathInjection" and result instanceof XpathInjection::Sink
+    or
+    kind = "Xxe" and result instanceof Xxe::Sink
+    or
+    kind = "ZipSlip" and result instanceof ZipSlip::Sink
  )
 }

+/** Gets a relevant taint sink. See `relevantTaintSink/1` for more information. */
+DataFlow::Node relevantTaintSink() { result = relevantTaintSink(_) }
+
 /**
 * Gets a remote flow source or `document.location` source.
 */